
Shai-hulud 2.0 Turns npm Installs Into a Full Cloud Compromise Path

A new Shai-hulud variant turns trusted npm installs into a stealthy path for cloud-credential theft and supply chain compromise.

Written By
Ken Underhill
Dec 1, 2025

A new wave of Shai-hulud malware is quietly weaponizing trusted npm packages to steal multi-cloud secrets and backdoor developer ecosystems at scale. 

The campaign, dubbed Shai-hulud 2.0, automates credential theft and supply chain compromise in a way that could ripple far beyond a single maintainer or project.

The malware is “… capable of stealing credentials and secrets from major cloud platforms and developer services, while automating the backdooring of npm packages maintained by victims,” said Trend Micro researchers.

Inside the Attack

Shai-hulud 2.0 spreads through a malicious npm package that abuses the preinstall lifecycle hook, triggering its execution the moment a victim runs npm install.

The attacker modifies the package.json file so that the installation process launches setup_bun.js, a loader script responsible for preparing the environment. 

This loader first checks whether the Bun JavaScript runtime is installed and, if not, silently installs it using the official bun.sh installation script — making the activity appear legitimate. 

After installation, it reloads the system PATH and uses Bun to execute the main payload, bun_environment.js.

Once the payload runs, the malware inspects its execution environment to determine how aggressively it can operate. 

In CI/CD pipelines it executes immediately to maximize access to build secrets. On developer workstations, however, Shai-hulud 2.0 takes a stealthier approach. 

It spawns a detached background process so the npm install command completes normally, allowing credential theft and system compromise to continue unnoticed.

The payload then launches a comprehensive credential-harvesting phase. It extracts npm tokens from .npmrc files and verifies them via the npm whoami API. 

It collects GitHub credentials and uses them to create a new, attacker-controlled repository and register a self-hosted GitHub Actions runner, forming a covert command-and-control (C2) channel. 

The malware also scrapes environment variables and cloud configuration files to steal AWS, GCP, and Azure credentials, then uses those credentials to query AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault for all available secrets. 

To deepen the compromise, it automatically downloads and runs TruffleHog to scan the victim’s file system for hardcoded secrets such as API keys, tokens, and sensitive configuration strings.

If Shai-hulud 2.0 fails to obtain valid npm or GitHub tokens — meaning the attacker cannot propagate or exfiltrate data effectively — it escalates to destructive behavior. 

In these cases, the malware attempts to wipe the victim’s home directory entirely, turning an unsuccessful compromise into a data-destructive incident.

How Shai-hulud 2.0 Backdoors npm Packages at Scale

One of Shai-hulud 2.0’s most dangerous capabilities is its fully automated system for backdooring npm packages, enabling rapid, worm-like propagation across the software supply chain. 

The malware begins by enumerating all npm packages maintained by the compromised developer account, querying the npm registry and prioritizing the ones with the highest download volumes to maximize downstream impact. 

After identifying its targets, it downloads each package’s tarball, extracts the contents, and injects a malicious preinstall script designed to trigger the same setup_bun.js and bun_environment.js infection chain used in the original compromise. 

This ensures that any developer installing the updated package will unknowingly execute the malware before the package’s legitimate code even runs.

Once the modifications are complete, Shai-hulud 2.0 repackages the altered module and republishes it to the npm registry using the victim’s own authentication token — making the update appear legitimate and trustworthy. 

To avoid raising suspicion, the malware increments the version number by a single patch level, mimicking a routine bug fix or maintenance release. 

This creates a seamless delivery mechanism: downstream users or CI pipelines pull the new version automatically, triggering the infection silently.

Because every newly infected maintainer can have their own packages automatically modified and republished, the malware gains a wormable quality. 

Each compromised account becomes a new propagation node, enabling Shai-hulud 2.0 to spread exponentially across the npm ecosystem and potentially reach thousands of developers, applications, and organizations through trusted package updates.

How to Defend Against Shai-hulud–Style Supply Chain Attacks

Shai-hulud 2.0 highlights how a single compromised maintainer account can trigger widespread package backdooring, cloud-secret theft, and CI/CD infiltration. 

The following controls help reduce exposure and strengthen resilience against this type of campaign.

  • Enforce phishing-resistant MFA, hardware keys, and least-privilege access for all npm, GitHub, and cloud identities.
  • Monitor for unauthorized GitHub Actions workflows, self-hosted runners, unusual repository creation, and broad workflow token scopes.
  • Restrict and frequently rotate access tokens, secrets, and cloud credentials while minimizing sensitive data stored in environment variables or config files.
  • Audit npm packages for sudden lifecycle-hook changes, added installers, or malicious preinstall scripts, and maintain an internal allowlist for critical packages.
  • Monitor cloud secret managers for abnormal enumeration, cross-region queries, or bulk secret access that may indicate compromise.
  • Harden developer and CI/CD environments with EDR, script-execution monitoring, and strict review of package.json or workflow changes.
  • Segment developer, CI/CD, and cloud roles to limit lateral movement and reduce blast radius if a maintainer or machine account is compromised.

As Shai-hulud 2.0 demonstrates, attackers are increasingly targeting the connective tissue of modern development — identity, automation, and package ecosystems — rather than individual vulnerabilities.

The Growing Threat to Modern Software Pipelines

Shai-hulud 2.0 is a stark reminder that modern threat actors aren’t just targeting endpoints anymore — they’re going after the core of how software is built and deployed: developer identities, automation pipelines, and cloud secret stores. 

The lesson is blunt: supply chain security isn’t simply about scanning dependencies; it’s about recognizing that any trusted maintainer or package can become an attacker-controlled distribution channel overnight. 

As campaigns like Shai-hulud grow more automated and more aggressive, organizations that fail to secure developer identities and harden CI/CD infrastructure risk having a single npm install become the entry point for a full cloud compromise.

And it’s why zero-trust, with its focus on strict validation rather than assumed trust, has become increasingly critical for software supply chain defense.
